FPII-2316: Elevation of privilege vulnerability in kernel security subsystem CVE-2014-9529 A-29510361 When a key is being garbage collected, it's key->user would get put before the ->destroy() callback is called, where the key is removed from it's respective tracking structures. This leaves a key hanging in a semi-invalid state which leaves a window open for a different task to try an access key->user. An example is find_keyring_by_name() which would dereference key->user for a key that is in the process of being garbage collected (where key->user was freed but ->destroy() wasn't called yet - so it's still present in the linked list). This would cause either a panic, or corrupt memory. Change-Id: I1c61e596acd093d5f3d3a76c58dbae9d6019867d

commit: f9a4bd20685aaf08ea1d1d2b499ad17489ee0386 [log] [tgz]
author: Jeron Susan <jeron.susan@hi-p.com> Wed Aug 24 13:46:29 2016 +0800
committer: Teemu Hukkanen <teemu@fairphone.com> Wed Sep 21 14:27:23 2016 +0200
tree: 1b4d1796a7f79252054ce65a868209260a540869
parent: a5e23b1eef1261e0d1df38776d06ffb6f06f14c8 [diff] [blame]
diff --git a/security/keys/gc.c b/security/keys/gc.c
index a42b455..e9e1937 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c

@@ -188,12 +188,13 @@
 	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
 		atomic_dec(&key->user->nikeys);
 
-	key_user_put(key->user);
 
 	/* now throw away the key memory */
 	if (key->type->destroy)
 		key->type->destroy(key);
 
+	key_user_put(key->user);
+
 	kfree(key->description);
 
 #ifdef KEY_DEBUGGING
commit	f9a4bd20685aaf08ea1d1d2b499ad17489ee0386	[log] [tgz]
author	Jeron Susan <jeron.susan@hi-p.com>	Wed Aug 24 13:46:29 2016 +0800
committer	Teemu Hukkanen <teemu@fairphone.com>	Wed Sep 21 14:27:23 2016 +0200
tree	1b4d1796a7f79252054ce65a868209260a540869
parent	a5e23b1eef1261e0d1df38776d06ffb6f06f14c8 [diff] [blame]